For this example, we wanted to build in flexibility: the flexibility to
provide your login form on any page, to create the session objects when
new users create an account, and then to direct them to the protected
page they were requesting. With some minor modifications, you can extend
this example in many ways.
We have created the following
pages:
> logon.asp
> logonvalidation.asp
> passprotect.inc
> protected.asp
> register.asp
> registerentry.asp
In addition, we have created a
database with one table called "Customers" and a database connection in
FrontPage called "store". The Customers table contains two fields:
username and password.
We are going to explain all the
pages here and then let you view the example.
logon.asp
This page is a simple form that contains two text
input fields: username and password. The form submits to
logonvalidation.asp. Here is an example:
This form can be placed on any page in your web but
you should have a page with only this form on it in case your user
tries to go to a protected page without first logging in. The code in
the protected page will send the user to the logon.asp page. Once
logged in, the user will be sent to the originally requested page.
logonvalidation.asp
This page checks the user information against the
database, creates the user's session objects and then directs the
logged in user to the originally requested page if there was one. In
case there was not, we have provided a list of links to our protected
pages they can click on (this will be the case if you provide a login
form on your home page and the user simply logs in prior to trying to
visit any of your protected pages).
Here is the code that does the work.
Paste this into HTML view above the <HTML> tag and before any other
code:
<%
'ADO constants used for the query parameters
Const adVarChar = 200
Const adParamInput = 1
'First we create a connection object
Set Conn = Server.CreateObject("ADODB.Connection")
'Next, we open the connection object by calling the connection string
'that FrontPage created and stored in the global.asa file when the
'"store" connection was created
Conn.Open Application("store_ConnectionString")
'Then we create a command object, a SQL statement and a record set object.
'The form values are passed as parameters instead of being joined into the
'SQL text, so quotes typed into the form cannot change the query
Set Cmd = Server.CreateObject("ADODB.Command")
Set Cmd.ActiveConnection = Conn
Cmd.CommandText = "SELECT * FROM Customers WHERE username = ? AND password = ?"
Cmd.Parameters.Append Cmd.CreateParameter("username", adVarChar, adParamInput, 255, Request.Form("username") & "")
Cmd.Parameters.Append Cmd.CreateParameter("password", adVarChar, adParamInput, 255, Request.Form("password") & "")
Set RS = Cmd.Execute
'Loop through the database to check for the user's information
Do Until RS.EOF
    Pass = RS("Password")
    Name = RS("username")
    RS.MoveNext
Loop
'Close the recordset and database connection
RS.Close
Conn.Close
'If the password given is not in the database then we don't do anything.
'Otherwise, we create the session objects
If Pass = "" Then
    Message = "The Password you entered is either wrong or not found in our database. Please press the BACK button and try again."
Else
    Session("Password") = Pass
    Session("username") = Name
    'Now we will check to see if there is a session object for an original URL.
    'This would have been created (as you will see later) if the user first tried
    'to visit a protected page. If so, we send them there. If not, we stay here.
    If Session("Ori_URL") = "" Then
        'do nothing
    Else
        Response.Redirect(Session("Ori_URL"))
    End If
End If
%>
Now, add your links
for your password protected pages to this page. Remember, if the user
first requested a password protected page, they will automatically be
sent there and will never see this page.
In the above code,
if the user does not enter a password, they will still see the list of
links. In order to show them there was an error, we added a message in
the above code after IF pass = "". Now, add the following to the body
of your HTML to display the appropriate message:
<% IF Message = "" Then %>
<table width="60%">
<tr>
<td width="100%"><b><font face="Arial">You have been logged in as:
<% Response.Write Server.HTMLEncode(Session("username")) %></font></b><p>
<b><font face="Arial">Please select a page to go to:</font></b></p>
<p>&gt; <a href="protected.asp">protected.asp</a></p></td>
</tr>
</table>
<% Else %>
<table width="60%">
<tr>
<td width="100%"><% Response.Write Message %></td>
</tr>
</table>
<% End IF %>
If the Password is
blank or not found in the database then we tell the user to try again.
Otherwise we show them the list of links or send them to the page they
originally requested. If the password is blank or not found in the
database then we never create the session object.
passprotect.inc
This is an include
file that you will use for the top of each page that you want to
password protect. The easiest way to create this is in Notepad. Once
you import this into FrontPage, change the name of the page from
passprotect.txt to passprotect.inc. Here is the code:
<%
'First we check to see if the user is logged in
IF Session("Password") = "" THEN
    'If their session is empty then we create a session for the current URL
    'they were requesting
    Session("ORI_URL") = Request.ServerVariables("Path_Info")
    'Then we redirect them to the login page
    Response.Redirect("logon.asp")
End IF
%>
To add protection
to your ASP pages, place the following line of code at the top of each
page before any other HTML tags:
<!--#INCLUDE File="passprotect.inc"-->
protected.asp
In order to protect
a page in the fashion we are, it has to be an ASP page. To protect the
page, simply copy the code mentioned above at the VERY TOP of the page
in HTML view. Here is the code again:
<!--#INCLUDE File="passprotect.inc"-->
register.asp
This page is
provided to allow new users to register a user name and password. This
is a simple form that submits to registerentry.asp for processing.
Create the form exactly like you did the login form. Set the form
properties to "Send to Other", click the Options button and in the
Action box type: registerentry.asp
registerentry.asp
This page will
accept the register information, write it to the database, create the
session objects and also send the newly registered user to the
originally requested page if there was one.
First, we will
create the session objects. Place the following code in the head of
the document just below the first <head> tag:
<%
Session("Username") = Request.Form("UserName")
Session("Password") = Request.Form("Password")
%>
Second, we will use
the database results wizard to write the data to the database:
Click Insert > Database > Results.
Select the store connection and click Next
Select Custom Query and click the Edit button
Enter this statement: INSERT INTO Customers (username, password) VALUES ('::username::', '::password::')
Click OK and go to step three.
Click More Options and remove the message
Click OK and then Next to go on to step four
Select the List formatting option and uncheck the boxes
Go on to step five where you will uncheck the Add Search box
Click Finish
You should now have
a database results region on your page with only two yellow bars.
Finally, at the
bottom of the page in HTML view, above the </body> tag, we will insert
the following code:
<%
If Session("Ori_URL") = "" Then
Else
Response.redirect(session("Ori_URL"))
End If
%>
You may also want
to provide links to your protected pages here as well in case the user
did not get here by selecting a protected page initially.
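As an added example (not part of the original tutorial and not code that FrontPage generates), registerentry.asp can be written by hand instead of using the wizard query, so that the form values are bound as parameters and the session objects are created only after the INSERT has succeeded. The table, connection and session names are the ones used above; the 50-character limit and the duplicate user name check are assumptions.

```vbscript
<%
' Added example, not the original tutorial's code.
Const adVarChar = 200          ' ADO data type: variable-length string
Const adParamInput = 1         ' ADO parameter direction: input
Const adExecuteNoRecords = 128 ' ADO option: statement returns no rows
Const MAX_LEN = 50             ' assumed size of both Customers columns

Dim User, Pwd, Message, Conn, Cmd, RS
User = Trim(Request.Form("username") & "")
Pwd = Request.Form("password") & ""
Message = ""

If User = "" Or Pwd = "" Or Len(User) > MAX_LEN Or Len(Pwd) > MAX_LEN Then
    Message = "Please enter a user name and password of up to " & MAX_LEN & " characters."
Else
    Set Conn = Server.CreateObject("ADODB.Connection")
    Conn.Open Application("store_ConnectionString")

    ' Refuse a user name that already exists (assumed rule)
    Set Cmd = Server.CreateObject("ADODB.Command")
    Set Cmd.ActiveConnection = Conn
    Cmd.CommandText = "SELECT username FROM Customers WHERE username = ?"
    Cmd.Parameters.Append Cmd.CreateParameter("u", adVarChar, adParamInput, MAX_LEN, User)
    Set RS = Cmd.Execute
    If Not RS.EOF Then Message = "That user name is already registered."
    RS.Close

    If Message = "" Then
        ' Values travel as parameters, so they are never parsed as SQL
        Set Cmd = Server.CreateObject("ADODB.Command")
        Set Cmd.ActiveConnection = Conn
        Cmd.CommandText = "INSERT INTO Customers (username, password) VALUES (?, ?)"
        Cmd.Parameters.Append Cmd.CreateParameter("u", adVarChar, adParamInput, MAX_LEN, User)
        Cmd.Parameters.Append Cmd.CreateParameter("p", adVarChar, adParamInput, MAX_LEN, Pwd)
        Cmd.Execute , , adExecuteNoRecords
        ' Only now does the account exist, so only now create the session
        Session("Username") = User
        Session("Password") = Pwd
    End If
    Conn.Close
End If

' Same redirect rule as the rest of the tutorial
If Message = "" And Session("Ori_URL") <> "" Then
    Response.Redirect Session("Ori_URL")
End If
%>
```

Display Message in the body of the page the same way logonvalidation.asp does.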
Here are some final bits of information:
A session object is a method of maintaining state,
which is the act of preserving information from one page to another.
Session objects are only maintained for the length of time that the
user has their web browser open or until the server times the session
out (whichever comes first). By default, IIS times inactive sessions
out after 20 minutes. Session objects are held in the server's memory.